feat:add payment return

Author: fullstacksherpa

cmd/api/payment.go

@@ -17,6 +17,12 @@ import (
 	"time"
 )
 
+// Flow:
+// 1. User completes payment on Esewa/Khalti
+// 2. Gateway redirects to your Go endpoint
+// 3. Go endpoint tries Khel://payment/return which open mobile app
+//    if app is not installed then fallback to webpage /payments/return
+
 // redirectToAppReturn serves an HTML page that:
 // 1) tries to open your app via deep link: khel://payments/return?...params...
 // 2) falls back to a web URL if the app is not installed
@@ -295,7 +301,7 @@ func (app *application) verifyEsewaResponseSignature(totalAmount, transactionUUI
 // /v1/store/payments/esewa/return?result=success|failure&data=<base64_json>
 //
 // This is the *canonical* completion endpoint for eSewa.
-// eSewa redirects the user's browser/webview here after payment.
+// eSewa hit this endpoint after payment.
 // We do NOT trust the redirect payload alone; we:
 // 1) decode base64 payload
 // 2) verify signature (integrity check)
@@ -308,9 +314,34 @@ func (app *application) esewaReturnHandler(w http.ResponseWriter, r *http.Reques
 	ctx, cancel := context.WithTimeout(r.Context(), 15*time.Second)
 	defer cancel()
 
+	// --------------------------------------------------------------------
+	// Defensive query normalization:
+	//
+	// eSewa (or misconfigured URLs) can sometimes produce a malformed query string like:
+	//   ?payment_id=9&result=success?data=BASE64
+	//                           ^ second "?"
+	//
+	// In that case, Go's URL parser will treat everything after the second "?" as part of
+	// the previous param value, and r.URL.Query().Get("data") will be empty.
+	//
+	// We recover by rewriting "?data=" into "&data=" inside RawQuery.
+	// This is safe because "data=" is supposed to be another query parameter.
+	// --------------------------------------------------------------------
+
+	raw := r.URL.RawQuery
+	if !strings.Contains(raw, "data=") && strings.Contains(raw, "?data=") {
+		parts := strings.SplitN(raw, "?data=", 2)
+		if len(parts) == 2 {
+			r.URL.RawQuery = parts[0] + "&data=" + parts[1]
+		}
+	}
+
+	// Now it's safe to read query params.
 	result := strings.ToLower(strings.TrimSpace(r.URL.Query().Get("result")))
 	dataB64 := strings.TrimSpace(r.URL.Query().Get("data"))
+
 	if dataB64 == "" {
+		// No base64 payload => can't verify. Return to app as failed.
 		app.redirectToAppReturn(w, "failed", 0, 0, "esewa", "", "", "missing_data")
 		return
 	}

cmd/api/sales.go

@@ -17,28 +17,47 @@ import (
 	"github.com/go-chi/chi/v5"
 )
 
-// ============ CART ============
-
-// GET /v1/store/cart
+// GetCart godoc
+//
+// @Summary		Get user's cart
+// @Description	Retrieves the current user's active or checkout_pending shopping cart
+// @Tags			User-Cart
+// @Accept		json
+// @Produce		json
+// @Success		200	{object}	CartView	"Cart retrieved successfully"
+// @Failure		401	{object}	error		"Unauthorized"
+// @Failure		500	{object}	error		"Internal Server Error"
+// @Security		ApiKeyAuth
+// @Router		/store/cart [get]
 func (app *application) getCartHandler(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
 	defer cancel()
 
 	user := getUserFromContext(r)
 	userID := user.ID
 
-	// optional: ensure cart exists
-	if _, err := app.store.Sales.Carts.EnsureActive(ctx, userID); err != nil {
-		app.internalServerError(w, r, err)
-		return
-	}
-
 	view, err := app.store.Sales.Carts.GetView(ctx, userID)
 	if err != nil {
 		app.internalServerError(w, r, err)
 		return
 	}
 
+	if view == nil {
+		// Create a new cart
+		cartID, err := app.store.Sales.Carts.GetOrCreateCart(ctx, userID)
+		if err != nil {
+			app.internalServerError(w, r, err)
+			return
+		}
+
+		// Get the newly created cart view
+		view, err = app.store.Sales.Carts.GetViewByCartID(ctx, cartID)
+		if err != nil {
+			app.internalServerError(w, r, err)
+			return
+		}
+	}
+
 	app.jsonResponse(w, http.StatusOK, view)
 }
 
@@ -722,8 +741,10 @@ func (app *application) verifyPaymentHandler(w http.ResponseWriter, r *http.Requ
 		if in.Data["total_amount"] == "" {
 			in.Data["total_amount"] = fmt.Sprintf("%.2f", float64(pay.AmountCents)/100.0)
 		}
-		// product_code ideally injected from config; if missing you can set it here too:
-		// in.Data["product_code"] = app.config.Payments.EsewaMerchantCode
+		// ✅ REQUIRED for eSewa verify
+		if in.Data["product_code"] == "" {
+			in.Data["product_code"] = app.config.payment.Esewa.MerchantID
+		}
 	}
 
 	txid := ""

cmd/api/users.go

@@ -75,8 +75,8 @@ func (app *application) uploadProfilePictureHandler(w http.ResponseWriter, r *ht
 		PublicID:  fmt.Sprintf("/%d", userID), // Save with userID as filename
 		Overwrite: overwrite,
 		// Replace old profile pic
-		Folder:         "profile_pictures",          // Organized storage
-		Transformation: "w_300,h_300,c_fill,q_auto", // Resize to 300x300, auto quality
+		Folder:         "profile_pictures", // Organized storage
+		Transformation: "w_128,h_128,c_fill,q_auto,f_auto",
 	}
 	uploadResult, err := app.cld.Upload.Upload(ctx, file, uploadParams)
 	if err != nil {
@@ -130,9 +130,9 @@ func (app *application) updateProfilePictureHandler(w http.ResponseWriter, r *ht
 	// Upload the new file to Cloudinary with specific PublicID to ensure replacement
 	uploadParams := uploader.UploadParams{
 		Folder:         "profile_pictures",
-		Overwrite:      boolPtr(true),               // Ensure overwrite of the existing file
-		Transformation: "w_300,h_300,c_fill,q_auto", // Optional transformations (e.g., resizing)
-		PublicID:       fmt.Sprintf("/%d", userID),  // Use userID as the PublicID to replace the old image
+		Overwrite:      boolPtr(true),                      // Ensure overwrite of the existing file
+		Transformation: "w_128,h_128,c_fill,q_auto,f_auto", // Optional transformations (e.g., resizing)
+		PublicID:       fmt.Sprintf("/%d", userID),         // Use userID as the PublicID to replace the old image
 	}
 
 	uploadResult, err := app.cld.Upload.Upload(r.Context(), file, uploadParams)
@@ -359,7 +359,7 @@ func (app *application) editProfileHandler(w http.ResponseWriter, r *http.Reques
 	}
 
 	// Handle optional image upload
-	var newURL string
+	var newURL *string
 	file, header, err := r.FormFile("profile_picture")
 	if err == nil {
 		defer file.Close()
@@ -372,24 +372,15 @@ func (app *application) editProfileHandler(w http.ResponseWriter, r *http.Reques
 			PublicID:       fmt.Sprintf("/%d", userID),
 			Overwrite:      boolPtr(true),
 			Folder:         "profile_pictures",
-			Transformation: "w_300,h_300,c_fill,q_auto",
+			Transformation: "w_128,h_128,c_fill,q_auto,f_auto",
 		}
 		res, err := app.cld.Upload.Upload(r.Context(), file, uploadParams)
 		if err != nil {
 			http.Error(w, "upload failed", http.StatusInternalServerError)
 			return
 		}
-		newURL = res.SecureURL
-	}
-
-	// If no image was provided, keep existing URL:
-	if newURL == "" {
-		old, err := app.store.Users.GetProfileUrl(r.Context(), userID)
-		if err != nil {
-			app.internalServerError(w, r, err)
-			return
-		}
-		newURL = old
+		u := res.SecureURL
+		newURL = &u
 	}
 
 	// 4) Call our new UpdateAndUpload

internal/domain/carts/carts.go

@@ -50,10 +50,56 @@ WHERE user_id = $1
 	return err
 }
 
+// GetOrCreateCart returns the user's current cart (active or checkout_pending)
+// or creates a new active cart if none exists
+func (r *Repository) GetOrCreateCart(ctx context.Context, userID int64) (int64, error) {
+	var id int64
+	var status string
+
+	// First, try to get ANY current cart (active or checkout_pending)
+	err := r.db.QueryRow(ctx, `
+SELECT id, status
+FROM carts
+WHERE user_id = $1
+  AND (status = 'active' OR status = 'checkout_pending')
+  AND (expires_at IS NULL OR expires_at > now())
+ORDER BY 
+    CASE status 
+        WHEN 'checkout_pending' THEN 1 
+        WHEN 'active' THEN 2 
+    END,
+    updated_at DESC
+LIMIT 1
+`, userID).Scan(&id, &status)
+
+	if err == nil {
+		// Found an existing cart
+		return id, nil
+	}
+
+	if !errors.Is(err, pgx.ErrNoRows) {
+		// Real DB error
+		return 0, fmt.Errorf("get cart: %w", err)
+	}
+
+	// No cart exists → create new active cart
+	exp := time.Now().Add(r.ttl)
+	if err := r.db.QueryRow(ctx, `
+INSERT INTO carts (user_id, guest_token, status, expires_at)
+VALUES ($1, NULL, 'active', $2)
+RETURNING id
+`, userID, exp).Scan(&id); err != nil {
+		return 0, fmt.Errorf("create cart: %w", err)
+	}
+
+	return id, nil
+}
+
 // --- User flows ---
 
 // EnsureActive returns an existing active cart id or creates a new one with TTL.
 // It only sets expires_at when creating a cart; it does NOT bump TTL for existing carts.
+// if you want checkout_pending state too use GetOrCreateCart method
 func (r *Repository) EnsureActive(ctx context.Context, userID int64) (int64, error) {
 	var id int64
 
@@ -220,26 +266,36 @@ func (r *Repository) UnlockCheckoutCart(ctx context.Context, orderID int64) erro
 //
 // We only convert carts that are explicitly linked to the order via checkout_order_id
 // AND currently in 'checkout_pending'. This prevents converting a wrong cart due to bugs
-// or race conditions.
+// or race conditions. remember db constraint if converted then checkout_order_id=null
 func (r *Repository) ConvertCheckoutCart(ctx context.Context, orderID int64) error {
 	_, err := r.db.Exec(ctx, `
 		UPDATE carts
-		   SET status='converted', updated_at=now()
-		 WHERE checkout_order_id=$1 AND status='checkout_pending'
+		   SET status='converted',
+		       checkout_order_id=NULL,
+		       updated_at=now()
+		 WHERE checkout_order_id=$1
+		   AND status='checkout_pending'
 	`, orderID)
 	return err
 }
 
-// Get active cart view by user
+// Get active cart or checkout_pending view by user
 func (r *Repository) GetView(ctx context.Context, userID int64) (*CartView, error) {
 	var v CartView
 
 	err := r.db.QueryRow(ctx, `
-SELECT id, user_id, guest_token, status, expires_at, created_at, updated_at
+SELECT id, user_id, guest_token, status, expires_at, created_at, updated_at, checkout_order_id
 FROM carts
 WHERE user_id = $1
-  AND status = 'active'
+  AND (status = 'active' OR status = 'checkout_pending')
   AND (expires_at IS NULL OR expires_at > now())
+ORDER BY 
+    CASE status 
+        WHEN 'checkout_pending' THEN 1 
+        WHEN 'active' THEN 2 
+        ELSE 3 
+    END,
+    updated_at DESC
 LIMIT 1
 `, userID).Scan(
 		&v.Cart.ID,
@@ -249,6 +305,7 @@ LIMIT 1
 		&v.Cart.ExpiresAt,
 		&v.Cart.CreatedAt,
 		&v.Cart.UpdatedAt,
+		&v.Cart.CheckoutOrderID,
 	)
 
 	if err != nil {
@@ -266,7 +323,7 @@ func (r *Repository) GetViewByCartID(ctx context.Context, cartID int64) (*CartVi
 	var v CartView
 
 	if err := r.db.QueryRow(ctx, `
-SELECT id, user_id, guest_token, status, expires_at, created_at, updated_at
+SELECT id, user_id, guest_token, status, expires_at, created_at, updated_at, checkout_order_id
 FROM carts
 WHERE id = $1
 `, cartID).Scan(
@@ -277,6 +334,7 @@ WHERE id = $1
 		&v.Cart.ExpiresAt,
 		&v.Cart.CreatedAt,
 		&v.Cart.UpdatedAt,
+		&v.Cart.CheckoutOrderID,
 	); err != nil {
 		if errors.Is(err, pgx.ErrNoRows) {
 			return nil, fmt.Errorf("cart not found")
@@ -287,6 +345,7 @@ WHERE id = $1
 	return r.fillLines(ctx, &v, cartID)
 }
 
+// fillLines fetches cart items for any cartID, calculates totals directly and return the CartView structure
 func (r *Repository) fillLines(ctx context.Context, v *CartView, cartID int64) (*CartView, error) {
 	rows, err := r.db.Query(ctx, `
 SELECT 

internal/domain/carts/types.go

@@ -6,13 +6,14 @@ import (
 )
 
 type Cart struct {
-	ID         int64      `json:"id"`
-	UserID     *int64     `json:"user_id,omitempty"`
-	GuestToken *string    `json:"guest_token,omitempty"`
-	Status     string     `json:"status"` // active, converted, abandoned
-	ExpiresAt  *time.Time `json:"expires_at,omitempty"`
-	CreatedAt  time.Time  `json:"created_at"`
-	UpdatedAt  time.Time  `json:"updated_at"`
+	ID              int64      `json:"id"`
+	UserID          *int64     `json:"user_id,omitempty"`
+	GuestToken      *string    `json:"guest_token,omitempty"`
+	Status          string     `json:"status"` // active, converted, abandoned, checkout_pending
+	ExpiresAt       *time.Time `json:"expires_at,omitempty"`
+	CreatedAt       time.Time  `json:"created_at"`
+	UpdatedAt       time.Time  `json:"updated_at"`
+	CheckoutOrderID *int64     `json:"checkout_order_id,omitempty"`
 }
 
 type CartItem struct {
@@ -45,6 +46,7 @@ type CartLine struct {
 
 type Store interface {
 	// --- User-level operations ---
+	GetOrCreateCart(ctx context.Context, userID int64) (int64, error)
 	EnsureActive(ctx context.Context, userID int64) (int64, error)
 	AddItem(ctx context.Context, userID, variantID int64, qty int) error
 	UpdateItemQty(ctx context.Context, userID, itemID int64, qty int) error

internal/domain/orders/orders.go

@@ -164,6 +164,7 @@ func (r *Repository) CreateFromCart(
 		cmd, err := r.q.Exec(ctx, `
 	UPDATE carts
 	   SET status='converted',
+	     checkout_order_id=NULL,
 	       updated_at=now()
 	 WHERE id=$1
 	   AND status='active'::cart_status

internal/domain/paymentsrepo/paymentsrepo.go

@@ -90,19 +90,35 @@ func (r *Repository) SetPrimaryToOrder(ctx context.Context, orderID, paymentID i
 }
 
 func (r *Repository) MarkPaid(ctx context.Context, paymentID int64) error {
+	// 1️⃣ Mark payment as paid
 	_, err := r.q.Exec(ctx, `
 		UPDATE payments
-		   SET status='paid'::payment_status, updated_at=now()
-		 WHERE id=$1;
+		   SET status='paid'::payment_status,
+		       updated_at=now()
+		 WHERE id=$1
+	`, paymentID)
+	if err != nil {
+		return fmt.Errorf("mark payment paid: %w", err)
+	}
 
+	// 2️⃣ Mark order as paid + processing
+	_, err = r.q.Exec(ctx, `
 		UPDATE orders
 		   SET payment_status='paid'::payment_status,
 		       status='processing'::order_status,
 		       paid_at=now(),
 		       updated_at=now()
-		 WHERE id=(SELECT order_id FROM payments WHERE id=$1);
+		 WHERE id = (
+		   SELECT order_id
+		     FROM payments
+		    WHERE id=$1
+		 )
 	`, paymentID)
-	return err
+	if err != nil {
+		return fmt.Errorf("mark order paid: %w", err)
+	}
+
+	return nil
 }
 
 func (r *Repository) SetStatus(ctx context.Context, paymentID int64, status string) error {